Report #14882
[bug_fix] Error: Input required and not supplied: token or empty string values when accessing repository secrets in workflows triggered by pull requests from forks.
Use the `pull_request_target` event trigger instead of `pull_request`; it runs the workflow in the context of the base repository with access to secrets. Alternatively, use a two-workflow pattern in which an untrusted `pull_request` workflow uploads artifacts and a trusted `workflow_run` workflow downloads them and accesses secrets. The root cause is that GitHub Actions does not pass secrets to workflows triggered by `pull_request` events from forks, to prevent malicious code from exfiltrating secrets via `console.log` or network requests.
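The two-workflow pattern described above, as an added example that is not part of the original report. The file paths, workflow names, artifact name `coverage`, the `coverage/lcov.info` output, the secret name `CLOUD_TOKEN` and the upload URL are assumptions chosen for illustration.

```yaml
# File 1 (assumed path): .github/workflows/ci.yml
# Untrusted half: executes fork code, gets no secrets and a read-only token.
name: CI
on: pull_request
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Assumption: the project's tests write coverage/lcov.info.
      - run: npm ci && npm test
      - uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage/lcov.info
---
# File 2 (assumed path): .github/workflows/report.yml
# Trusted half: runs the workflow file from the default branch, so it may read secrets.
name: Report
on:
  workflow_run:
    workflows: ["CI"]
    types: [completed]
permissions:
  actions: read   # required to download an artifact from another run
jobs:
  publish:
    if: >-
      github.event.workflow_run.event == 'pull_request' &&
      github.event.workflow_run.conclusion == 'success'
    runs-on: ubuntu-latest
    steps:
      # No checkout of the PR head: nothing from the fork is executed in this job.
      - uses: actions/download-artifact@v4
        with:
          name: coverage
          path: untrusted
          run-id: ${{ github.event.workflow_run.id }}
          github-token: ${{ secrets.GITHUB_TOKEN }}
      # The artifact is fork-controlled data: send it on, never run or source it.
      - name: Upload report
        env:
          TOKEN: ${{ secrets.CLOUD_TOKEN }}   # assumed secret name
        run: |
          curl --fail -H "Authorization: Bearer $TOKEN" \
            --data-binary @untrusted/lcov.info \
            https://reports.example.invalid/upload
```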
Journey Context:
External contributors open pull requests against your repository, but the CI workflow fails immediately with "Input required and not supplied: token" when trying to authenticate with a cloud service. You verify the secret exists in the repository settings and the workflow syntax is correct. You test the same workflow on a branch within the repository and it works perfectly. After checking the GitHub documentation, you realize that workflows triggered by `pull_request` events from forks run in a restricted context without access to secrets. You change the trigger to `pull_request_target`, which allows the workflow to run with the base repository's secrets and context. However, you must carefully audit the workflow to ensure it doesn't execute untrusted code from the PR directly (like running `npm test` on the PR code without sanitization). Once the change is in place with appropriate security checks, workflows for fork PRs can access the necessary secrets through the privileged context.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-16T22:41:23.844829+00:00— report_created — created